From 1209f95ec94a5c84ed9f4a23deff1e42dde5db69 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Wed, 3 Mar 2021 10:12:20 +0300
Subject: [PATCH] Fix #18535: Set Cookie SameSite to Lax by default

---
 CHANGELOG.md | 1 +
 web/Cookie.php | 9 ++-------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8f7ea2b76..f723027f66 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ Yii Framework 2 Change Log
 - Enh #18518: Add support for ngrok’s `X-Original-Host` header (brandonkelly)
 - Bug #18529: Fix asset files path with `appendTimestamp` option for non-root-relative base URLs (bizley)
 - Bug #18450: Allow empty string to be passed as a nullable typed argument to a controller's action (dicrtarasov, bizley)
+- Bug #18535: Set Cookie SameSite to Lax by default (samdark)
 - Bug #18539: Fix "driver does not support quoting" when using the driver pdo_odbc (xpohoc69)
diff --git a/web/Cookie.php b/web/Cookie.php
index f517ca3e09..7ba7d0268f 100644
--- a/web/Cookie.php
+++ b/web/Cookie.php
@@ -67,17 +67,12 @@ class Cookie extends \yii\base\BaseObject
     public $httpOnly = true;
     /**
      * @var string SameSite prevents the browser from sending this cookie along with cross-site requests.
-     * Please note that this feature is only supported since PHP 7.3.0
-     * For better security, an exception will be thrown if `sameSite` is set while using an unsupported version of PHP.
-     * To use this feature across different PHP versions check the version first. E.g.
-     * ```php
-     * $cookie->sameSite = PHP_VERSION_ID >= 70300 ? yii\web\Cookie::SAME_SITE_LAX : null,
-     * ```
+     *
      * See https://www.owasp.org/index.php/SameSite for more information about sameSite.
      *
      * @since 2.0.21
      */
-    public $sameSite;
+    public $sameSite = self::SAME_SITE_LAX;
     /**
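Review bot: The new default `public $sameSite = self::SAME_SITE_LAX;` makes the attribute non-null for every cookie, yet the docblock text being removed states that an exception is thrown when `sameSite` is set on a PHP version without SameSite support (before 7.3.0), and this patch does not touch the code that actually sends cookies; unless that sending path already has a fallback for older PHP, every response carrying a cookie would now fail there, so please confirm that before merging. The remaining docblock still reads `@var string` and says nothing about the new default or how to opt out; I would add `Defaults to `self::SAME_SITE_LAX`. Set to `null` to omit the attribute for cookies that must accompany cross-site POST callbacks (e.g. SSO or payment-gateway returns).` Since Lax still lets the cookie travel on top-level cross-site GET navigations, a sentence noting that it complements rather than replaces CSRF validation, and that `SAME_SITE_STRICT` is the stronger choice for session cookies, would also help readers. Changing a security default is a behaviour change for existing applications, so a short UPGRADE note next to the CHANGELOG entry is warranted. The `Cookie` class body starts and ends outside this hunk.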